[57] ABSTRACT

The present invention is a secure Web platform (SWP) implementing a mandatory access control policy to enable a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests. The SWP employs a computer having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment comprising a Web server having a root directory chrooted to a directory tree containing only the minimal set of files required to interface the SWP with the Internet, and an inside compartment comprising a plurality of CGI applications having root directories chrooted to a directory separate from the Web server such that the Web server cannot communicate directly with the CGI applications, and a trusted gateway agent for communicating between the Web server and the CGI applications.

21 Claims, 3 Drawing Sheets 
TRUSTED GATEWAY AGENT FOR WEB SERVER PROGRAMS

FIELD OF THE INVENTION

The present invention relates to methods and apparatus for providing a secure environment for operating a World Wide Web (WWW) site and, more particularly, to isolating the Web server from the application or applications that run on the Web site.

BACKGROUND OF THE INVENTION

The Web may be thought of as a global village where computers (hosts) are the buildings, and the world-wide computer network known as the Internet forms the streets. The computers have addresses (IP Addresses) consisting of four numbers separated by periods. Many hosts also have nicknames known as domain names. A Web site typically consists of a UNIX or Microsoft Windows based Web server that "serves" software or content to other computers at the Web site for temporary use. A Web site is not a single application, but a system that provides access to applications and data on the server itself, as well as inside an organization. A user utilizes a Web "browser" to access a Web server to access anything that the organization wants to make available, from general information, to transactions, to access to a customer database.

FIG. 1 illustrates a computer 100 executing a Web browser program 105 that is employed by a user to communicate over the Internet 110, in a special language called Hyper Text Transfer Protocol (HTTP) 115, with another computer 120 executing a Web server program 125 to obtain data. The most basic Web transaction involves the transmission of Webpages, written in HyperText Markup Language (HTML), from the Web server 125 to the Web browser 105. Upon request by the user at the Web browser 105, the Web server 125 translates the HTML-based Webpage into HTTP and sends it over the Internet 110 for display as a Webpage at the requesting browser 105. While Web server 125 may contain encryption features such as Netscape's Secure Sockets Layer or S-HTTP, and a filtering router 130 may be employed between the Web browser 105 and Web server 125 for filtering out any messages that aren't HTTP Web traffic bound for the SWP, only HTTP 115 communications between Web server 125 and the Web browser 105 are protected.

HTML allows any word(s) on any Webpage to refer ("link") to any other Webpage. While Webpages do a very good job of displaying information in the form of text or images, they do not handle decisions, for example, confirming a correct password and providing for user access, or provide more sophisticated functions such as placing an order for goods or services. Thus, a special programming interface known as Common Gateway Interface (CGI) 130 is employed to extend the capabilities of the Web server beyond Webpages alone, allowing a level of interaction that HTML alone cannot provide. A typical organization employs a combination of CGI applications and HTML to provide a desired service or product.

As an example, the banking industry may employ the Internet for on-line banking transactions at a virtual bank. In particular, customers at Web sites on the Internet communicate with a Web server situated outside of the virtual bank which then invokes a plurality of bank related CGI applications within the virtual bank to process requests related to data stored within a database within the virtual bank. For example, one CGI application may be employed for obtaining a balance from a checking account, transferring money from one account to another, or triggering an electronic bill payment. Often the CGI application is a simple front-end to a more sophisticated database server connected to a network internal to the organization (defined as an Intranet).

Netscape's Secure Sockets Layer (SSL) protocol, and/or EIT's Secure HTTP (S-HTTP) may be employed to provide security for HTTP communications between a Web browser and a Web server. SSL and S-HTTP provide encryption, authentication, integrity, and confidentiality of traffic between a client and a server.

Additional Internet security may be obtained through the use of a secure operating system. In particular, HP-UX 10.09.01 Compartmented Mode Workstation (CMW) sold by Hewlett-Packard Company provides an operating system that operates in accordance with a Mandatory Access Control (MAC) policy that governs the way data may be accessed on a trusted system. The MAC policy is a computerized version of the Department of Defense's long-standing multilevel security policy for handling classified information with labels that reflect sensitivity, to maintain those labels on files and processes in the system, and to prevent users not cleared for certain levels of classified information from accessing it. Under MAC, all information on the system is classified to reflect its sensitivity, all users are assigned clearances, and every application runs at a specific sensitivity level. Using the MAC policy, the operating system controls access based on the relative sensitivity of the applications running and the files they access.

Sensitivity labels are associated with every process (an active CGI application manifests itself as a process) and filesystem object, and are used as the primary basis for all MAC policy decisions. A sensitivity label represents the sensitivity of a process or a filesystem object and the data each contains. If an application and the file it attempts to access have compatible sensitivity labels, it can read, write, or possibly execute the file. Each new process typically inherits the sensitivity label of its parent. For example, if a program is executed within a shell (for example, sh(1), csh(1), or ksh(1)), the new process automatically inherits the sensitivity label of the shell process. New files always inherit the sensitivity label of the process that creates them. Once created, the system provides a special trusted program (the File Manager) that may be employed for changing the sensitivity label of a file. Most users are allowed to upgrade files (to change their sensitivity labels upward, so the new sensitivity label dominates the previous one), but are not allowed to downgrade files (to reduce their sensitivity label so the new label is dominated by the previous label), or to cross grade them (so that the new label is incomparable to the previous one).

The effect of the MAC policy is to rigidly control information flow in the system, from process to file to process, to prevent accidental or intentional mislabeling of sensitive information. To do that, the system compares sensitivity labels to determine if a process can access an object. Any time a process tries to read, write, or execute a file, the system examines the process and object sensitivity labels and consults its MAC rules. For each operation a process requests, the system determines if the process has mandatory read or mandatory write access to the object. Most restrictions that the MAC policy enforces can be summarized by the two following rules:

(1) mandatory read access: A process can read or execute a file, search a directory, or (subject to other privilege requirements) read the contents of other objects if the
process's sensitivity label dominates the object's. All of these operations involve transferring data from the object to the process, so having such access is referred to as "mandatory read" access.

(2) mandatory write access: A process can write to a file, remove or create an entry in a directory, or change any object's security attributes (including its sensitivity label), if the process's sensitivity label is the same as the object's. All of these actions involve transferring data from the process to the object, so having such access is called "mandatory write" access. The first rule prevents a user who is not cleared for classified information from seeing it. Rule two prevents a user with a high clearance from revealing information to other users with lower clearances.

There exists a need for a trusted operating system that sets up access controls that grant, person by person, authorization to perform different tasks, from viewing files to making changes in them to changing a computer network's configuration.

It would be desirable and of considerable advantage to provide a mandatory access control policy to segregate the Web server from the CGI application that differs from traditional methods employing a Web server and a firewall. A bridge between the Web server and the set of CGI applications could be advantageous when implemented by use of a trusted gateway agent to take information from a Web browser's HTTP request to the Web server and make that information available to the appropriate CGI application specified in the HTTP request, especially if the trusted gateway agent works in conjunction with a mandatory access control policy to isolate the Web server and the CGI applications to limit the ability of the Web server to invoke the CGI applications directly.

It will be apparent from the foregoing that there is still a need for a trusted gateway agent that passes arguments or input data to the CGI application and returns data from the CGI application to the Web server.

SUMMARY OF THE INVENTION

The present invention is a secure Web platform (SWP) implementing a mandatory access control policy to enable a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests. The secure Web platform employs a computer having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment comprising a Web server having a root directory chrooted to a directory tree containing only the minimal set of files required to interface the SWP with the Internet, and an inside compartment comprising a plurality of CGI applications having root directories chrooted to a directory separate from the Web server such that the Web server cannot communicate directly with the CGI applications. The SWP further comprises a trusted gateway agent for communicating between the Web server and the CGI applications. The trusted gateway agent comprises a gateway client program running in the outside compartment having a plurality of outside CGI links to the CGI applications, and a gateway server program located in the inside compartment, wherein the outside CGI links are visible to the Web server and upon execution of an outside CGI link, an attempt is made to form a link between the Web server and the gateway server program, and if accepted, the gateway server creates a new process and invokes the corresponding CGI application and connects the HTTP data stream to the CGI application. The CGI application employs the HTTP data stream to communicate through the gateway server and gateway client to the Web browser.

The mandatory access control policy assigns a plurality of sensitivity levels to files within the outside and inside compartments. In particular, a sensitivity label of System Outside is assigned to any files requiring write access by the Web server, and a sensitivity label of System is assigned to any files to which the Web server program needs read-only access, and a sensitivity label of System Inside is assigned to those files to which the Web server does not have any access. The CGI applications will run with a SL of System Inside for those requiring write access and a SL of System for those with read-only access.

Other aspects and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified block diagram of a prior art computer executing a Web browser to communicate HTTP with another computer executing a Web server.

FIG. 2 depicts a simplified schematic of the preferred embodiment of the secure Web platform (SWP).

FIG. 3 depicts a flowchart representing the preferred method of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The invention provides a secure Web platform (SWP) layered on top of the HP UNIX 10.09.01 CMW operating system to implement a mandatory access control policy enabling a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests.

As illustrated in FIG. 2, an HP UNIX CMW based computer 200 (an HP 9000 Series 700 series workstation) incorporates a layered software secure Web platform 202 having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment 205 comprising a Web server 210 (commercially available from Netscape) having a root directory chrooted to a directory tree containing only the minimal set of files required to interface the SWP 202 with the Internet 215, and an inside compartment 220 comprising a plurality of CGI applications 225 having root directories chrooted, prior to execution, to a directory separate from the Web server 210 such that the Web server 210 cannot communicate directly with the CGI applications 225, as well as minimizing the ability of the CGI applications to access portions of the SWP 202 that they do not need. A trusted gateway agent 230 is employed for communicating between the outside and the inside compartments.

All files are labeled INSIDE or OUTSIDE (also, labels of SYSLO or SYSHI are employed in the preferred embodiment but not required to practice the invention), and the mandatory access control policy (as dictated by the underlying HP-UX 10.09.01 CMW operating system) keeps them in separate compartments to prohibit communication between them. The mandatory access control policy further comprises a plurality of sensitivity labels (SL), wherein a SL of System Outside is assigned to any SWP files to which the Web server requires write access, a SL of System is
assigned to any SWP files to which the Web server program 210 requires read-only access, and a SL of System Inside is assigned for those SWP files to which the Web server does not have any access. All of the programs that run on the Web server 210 are also assigned SL's based on where they are executed. In the default configuration, a program running [illegible] an SL of SYSTEM INSIDE. In the default configuration the compartments have the following relationships: (1) programs can always read and write files that reside at the same SL; (2) programs can never directly write files which have a different SL; (3) programs running at the SYSHI SL can read files in any compartment; (4) programs running in the SYSTEM OUTSIDE SL can only read files in the SYSLO and OUTSIDE compartments; (5) programs running at the SYSTEM INSIDE SL can only read files at the SYSLO and SYSTEM INSIDE SL, and (6) programs running at the SYSLO SL can only read files at the SYSLO SL. Some of the Webpages used by the Web server are stored with a SYSLO SL, while others are kept at the SYSTEM INSIDE SL. This allows very basic information pages (which may not need as much protection) to be accessed more quickly and prevents unauthorized modification. The CGI applications 225 and any databases used by the CGI application are kept at an SL of SYSTEM INSIDE.

As depicted in the schematic diagram FIG. 2, the flowchart FIG. 3, and the trusted gateway agent program (tga.c and tgad.c attached as Appendix A and B, respectively), data moves back and forth between a chrooted outside compartment 205 and the separate chrooted inside compartment 220 by invoking the trusted gateway agent 230, a special security-aware software program that spans the control boundary separating inside and outside compartments. The Web server 210 is restricted from accessing non-essential files by changing the root directory during initialization (Step 305). In particular, the Web server 220 root directory is chrooted such that the files it needs are the only available ones (Step 310). The trusted gateway agent may only be invoked by the Web server 210, and the CGI applications 225 can, in turn, only be invoked by the trusted gateway agent 230. The trusted gateway agent 230 is transparent to both the Web server 210 and the CGI applications 225, both of which can function as if the trusted gateway agent 230 was not present. Notwithstanding, the trusted gateway agent must be able to access both the Web server 210 and the CGI applications 225. The gateway server 240 is initialized directly at system boot time and enabled whenever the Web server 210 is enabled (Step 315). In particular, the gateway server 240 reads its configuration file (a copy of configuration file "tcb/files/tgad.conf" is attached as Appendix B) which specifies the attributes of the trusted gateway agent server 240 process (user ID, group ID, sensitivity label) as well as the set of CGI applications 225 that may be run through the trusted gateway agent 230 and how to run them.

The trusted gateway agent 230 further comprises a gateway client program 235 running in the outside compartment having a plurality of outside CGI links 237 to the CGI applications, and a gateway server program 240 located in the inside compartment 230, wherein the outside CGI links 237 are visible to the Web server 210. All of the outside CGI link 237 directories point to the gateway client 235 and the link name identifies the corresponding CGI application 225 to execute.

Upon receipt of an HTTP request that corresponds to a CGI application, the Web server 210 attempts to execute one of the plurality of outside CGI links 237 identified by the URL of the HTTP request (Step 320). The gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the Web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port, whereas children of the Web server process do not inherit this privilege (a program uses a network port number when communicating) (Step 322). Certain ports are restricted to use by privileged processes only (such ports are only [illegible] program, like the Web server 210, the gateway client program 237 and the gateway server program 240, that have the netprivaddr privilege).

After the connection request is verified, the gateway client program 237 then makes a connection to the gateway server program 240 (Step 325). The gateway server program 240 verifies that the connection originated from a reserved or a privileged port. The gateway client program's argument vector and environment vector are then transferred to the gateway server 240 (Step 330). The vectors are transmitted [illegible] list structure: first the number of elements in the list [illegible].

Once the argument and environment vectors are transmitted, the gateway server program 240 consults the trusted gateway agent configuration file (see Appendix C, "Sample Server Configuration File") to determine if the [illegible] program [illegible] (Step 335), [illegible] attributes (root directory, user and group identity, sensitivity label). Optionally, the gateway server program may compute the checksum of the CGI application executable file and compare it against a cryptographically strong checksum stored in the configuration file; if the checksums do not match, the request is rejected.

If the request is rejected, the gateway server 240 audits the reason for the failure (Step 340) and transmits an error message to the gateway client 237, which then terminates. If the request is accepted, the gateway server 240 strips the environment of all variables that are not specified by the CGI protocol (see Appendix D, entitled "CGI Environment Variables"), sends a "ready" acknowledgment to the gateway client program 237, redirects its standard input, output and error to the gateway client program connection, and uses the exec(2) system call to replace itself with the target CGI application 225 that is now chrooted to an inside directory (Step 345).

Upon receipt of the "ready" acknowledgment, the gateway client program 237 copies its standard input through the network connection to the CGI application, and copies the output from that connection to its standard output (acting as a "pass-through" filter). Thus, the Web server 210 is writing (through the gateway client and gateway server) to the standard input of the CGI application 225, and reading that application's standard output (Step 350). Since that CGI application 225 has been invoked with the same argument and environment vectors used to invoke the gateway client 237 (which the Web server 210 "thinks" is the real CGI application), the trusted gateway agent 237 is transparent to both the Web server 210 and the CGI application 225. Additional HTTP requests are handled similarly as they are received by the Web server 210 (Step 360).

While the invention has been described and illustrated with reference to specific embodiments employing a UNIX CMW (Compartmented Mode Workstation) based operating system running on an HP 9000 Series 700 workstation, those
skilled in the art will recognize that modification and variations may be made such that the invention is equally applicable to secure Web platforms based on the Microsoft Windows NT operating system and most compatible hardware. While not disclosed in detail, the Secure Web Platform could also include another Netscape or similarly configured Web server within the inside compartment for interfacing the SWP to an internal Intranet.
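The two MAC rules from the background section (mandatory read when the process label dominates the object label; mandatory write only when the two labels are equal) together with the six default compartment relationships listed for the SWP can be exercised mechanically. The C program below is an added illustration and is not code from the patent or from the SWP: it encodes the four labels SYSLO, SYSTEM OUTSIDE, SYSTEM INSIDE and SYSHI as a hierarchical level plus a compartment bit set (an assumed encoding chosen so that the patent's relationships follow from the usual dominance test, not the CMW's real label format) and evaluates read, write and execute requests against the two rules.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed encoding of the SWP's four labels: a level plus a compartment
 * bit set.  SYSTEM OUTSIDE and SYSTEM INSIDE sit at the same level in
 * disjoint compartments, SYSLO below both, SYSHI above both. */
enum { COMP_OUTSIDE = 1u << 0, COMP_INSIDE = 1u << 1 };

typedef struct {
    const char *name;
    int level;          /* hierarchical classification */
    unsigned comps;     /* set of compartments */
} Label;

static const Label SYSLO          = { "SYSLO",          0, 0 };
static const Label SYSTEM_OUTSIDE = { "SYSTEM OUTSIDE", 1, COMP_OUTSIDE };
static const Label SYSTEM_INSIDE  = { "SYSTEM INSIDE",  1, COMP_INSIDE };
static const Label SYSHI          = { "SYSHI",          2, COMP_OUTSIDE | COMP_INSIDE };

/* a dominates b when a's level is at least b's and a's compartments include b's */
bool dominates(const Label *a, const Label *b)
{
    return a->level >= b->level && (a->comps & b->comps) == b->comps;
}

/* Rule (1): mandatory read, which also governs execute and directory search */
bool mac_may_read(const Label *proc, const Label *obj)
{
    return dominates(proc, obj);
}

/* Rule (2): mandatory write needs identical labels; this is what keeps a
 * higher-cleared process from copying data into a lower-labelled file */
bool mac_may_write(const Label *proc, const Label *obj)
{
    return proc->level == obj->level && proc->comps == obj->comps;
}

/* One access decision: op is 'r', 'w' or 'x'.  Returns 1 (allow), 0 (deny) or
 * -1 for an operation the monitor does not know, which it must also deny. */
int mac_check(const Label *proc, const Label *obj, char op)
{
    switch (op) {
    case 'r': case 'x': return mac_may_read(proc, obj) ? 1 : 0;
    case 'w':           return mac_may_write(proc, obj) ? 1 : 0;
    default:            return -1;
    }
}

int main(void)
{
    const Label *all[] = { &SYSLO, &SYSTEM_OUTSIDE, &SYSTEM_INSIDE, &SYSHI };
    /* read/write matrix: rows are process labels, columns are object labels */
    for (int i = 0; i < 4; i++) {
        printf("%-15s", all[i]->name);
        for (int j = 0; j < 4; j++)
            printf(" %c%c ", mac_may_read(all[i], all[j]) ? 'r' : '-',
                             mac_may_write(all[i], all[j]) ? 'w' : '-');
        printf("\n");
    }
    return 0;
}
```

Running it prints a 4x4 matrix. The SYSTEM OUTSIDE row shows why the Web server cannot execute a CGI application labelled SYSTEM INSIDE without the gateway: the compartments are incomparable, so rule (1) denies the read. The only 'w' entries are on the diagonal, which is rule (2) in action; the trusted gateway agent needs the allowmac privileges precisely because it must cross that boundary.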
APPENDIX A

/tmp/tga.c

/*
 * @(#)80 1.11 tga.c, swp_gw_client, swp_dev 1/19/96 05:21:24, SecureWare, Inc.
 *
 * Secure Web Platform Trusted Gateway Agent client application.
 * This is run as a CGI program by the HTTP daemon process.  It connects
 * to the TGA server, transmits its argument vector and environment,
 * then connects its standard input and output to the server
 * which runs the actual CGI program.
 */

#if SEC_BASE
#include <sys/secdefines.h>
#include <prot.h>
#endif /* SEC_BASE */

#include "gateway.h"
#include <stdio.h>
#include <stdlib.h>
#include <sys/signal.h>

void
PipeCleaner()
{
    Warn("Lost connection with server.\n");
    abort();
    exit(1);
}

int
main(ArgC, ArgV, EnvP)
int ArgC;
char *ArgV[];
char *EnvP[];
{
    int IPC;                /* file descriptor for connection to server */
    Packet Ack;             /* acknowledgement from server */
    char *Name;             /* pointer to SCRIPT_NAME */
    int Result;             /* our return code */
    priv_t *Missing;        /* used to check privileges */
    char Message[BUFSIZ];   /* place to build an error message */
    char *Msg;              /* used to point to messages */

    /*
     * we're the client
     */
    tga_client = 1;
    /* set up audit data */
    AudSetAttributes(ArgV[0]);

    /*
     * Security initialization
     */
#if SEC_BASE
    set_auth_parameters(ArgC, ArgV);
    initprivs();
#if SEC_MAC
    mand_init();
#endif /* SEC_MAC */

    /*
     * drop all privileges
     */
    seteffprivs((priv_t *)0, (priv_t *)0);
    /*
     * and make sure we can raise the ones we'll need later
     */
    if (Missing = checkprivs(privvec(SEC_NETPRIVADDR,
#if SEC_MAC
        SEC_ALLOWMACREAD, SEC_ALLOWMACWRITE, SEC_CVTLABEL,
        SEC_CHSUBJSL,
#endif /* SEC_MAC */
        -1)))
    {
        sprintf(Message, "%s: insufficient privilege: missing %s\n",
            ArgV[0], privstostr(Missing, ","));
        AuditFailure(Message);
        Die(Message);
    }
#endif /* SEC_BASE */
    /*
     * We want to pass a full pathname to the server, if possible,
     * for maximum control over the identity of the CGI program
     * that gets executed by the server.  So, if ArgV[0] is not
     * an absolute pathname, replace it with the SCRIPT_NAME environment
     * variable defined by the CGI specification (which may not be
     * absolute either, but it will not be any worse than the original
     * ArgV[0]).
     */
5,903,732
    if ((ArgV[0][0] != '/') && (Name = getenv("SCRIPT_NAME")))
        ArgV[0] = getenv("SCRIPT_NAME");

#if SEC_MAC
    /*
     * We're executed by the outside HTTPD process, which means we're
     * running at the OUTSIDE sensitivity level.  The server
     * runs at the INSIDE sensitivity level, so in order to communicate with
     * it, we need allowmac.
     */
    if (forceprivs(privvec(SEC_ALLOWMACREAD, SEC_ALLOWMACWRITE, -1), NULL))
    {
        /*
         * The Die() function displays the error message and exits.
         */
        Msg = "Insufficient privilege: client could not raise allowmac\n";
        AuditFailure(Msg);
        Die(Msg);
    }
#endif /* SEC_MAC */
    /*
     * now connect to the server
     */
    if ((IPC = ConnectToServer()) < 0)
    {
        /* ConnectToServer() is responsible for auditing the failure details */
        Die("Server connection failed");
    }

    /*
     * From this point on, the server is responsible for most auditing
     */

    /*
     * shut down cleanly if we lose the connection
     */
    signal(SIGPIPE, PipeCleaner);
    /*
     * transmit our environment and argument vectors
     */
    if (!SendVector(IPC, EnvP))
    {
        (void) shutdown(IPC, 2);

        Msg = "Failed to transmit environment vector";
        AuditFailure(ErrMessage(Msg));
        Die(Msg);
    }

    /*
     * wait for acknowledgement by server
     */
    if (WaitForAck(IPC, &Ack) != GATEWAY_ACK)
    {
        /*
         * if negative acknowledgement, read and display error (server
         * will audit the failure)
         */
        if (Ack.Data == GATEWAY_NAK)
        {
            Warn(ReadString(IPC));
            (void) SendAck(IPC);
            shutdown(IPC, 2);
            exit(EXIT_FAILURE);
        }
    }

    if (!SendVector(IPC, ArgV))
    {
        (void) shutdown(IPC, 2);

        Msg = "Failed to transmit argument vector";
        AuditFailure(ErrMessage(Msg));
        Die(Msg);
    }

    /*
     * wait for the server to acknowledge receipt of vectors
     */
    if (WaitForAck(IPC, &Ack) != GATEWAY_ACK)
    {
        /*
         * if negative acknowledgement, read and display error (server
         * will audit the failure)
         */
        if (Ack.Data == GATEWAY_NAK)
        {
            Warn(ReadString(IPC));
            (void) SendAck(IPC);
            shutdown(IPC, 2);
            exit(EXIT_FAILURE);
        }
    }
    /*
     * tell the server to go ahead and run the program ("ACK the ACK")
     */
    if (!SendAck(IPC))
    {
        (void) shutdown(IPC, 2);

        Msg = "Failed to transmit go-ahead to server";
        AuditFailure(Msg);
        Die(Msg);
    }

    /*
     * Now we copy data back and forth between standard I/O and the server
     * First, be optimistic about the results:
     */
    Result = EXIT_SUCCESS;
    /*
     * Second, get rid of SIGPIPE handler; let Shovel() handle it if the
     * connection disappears
     */
    signal(SIGPIPE, SIG_IGN);
    /*
     * Now do the actual "shoveling" of data between stdin/stdout and the
     * socket
     */
    if (Shovel(IPC) != SUCCESS)
    {
        Msg = "Lost connection to server";
        AuditFailure(ErrMessage(Msg));
        Warn(Msg);

        Result = EXIT_FAILURE;
    }

    /*
     * Explicitly shut down all connections, just to be safe
     */
    shutdown(IPC, 2);
    shutdown(0, 2);
    shutdown(1, 2);
    shutdown(2, 2);

    /*
     * exit
     */
    return Result;
}
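The client above hands EnvP and ArgV to SendVector(), and the description says the vectors cross to the server as a list, "first the number of elements in the list"; gateway.h, where SendVector() and WaitForAck() live, is not reproduced on this page. The C code below is an added illustration, not the SWP's implementation, of one way to encode and decode such a list on both sides of the connection. It assumes a wire format of a decimal element count followed by length-prefixed elements, bounds the count the server will accept, and rejects a list that is truncated, carries trailing bytes or contains a malformed number, so the server side never acts on a partial vector.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire format (the patent says only "first the number of elements in
 * the list"): "<count>\n", then each element as "<length>\n<bytes>".  Length
 * prefixes let an element carry newlines without ambiguity. */

/* Parse decimal digits ending in '\n'; returns 0 on malformed or overflowing input. */
static int read_num(const char **p, const char *end, size_t *out)
{
    const char *s = *p;
    size_t v = 0;
    if (s >= end || *s < '0' || *s > '9') return 0;
    while (s < end && *s >= '0' && *s <= '9') {
        if (v > (SIZE_MAX - 9) / 10) return 0;          /* overflow guard */
        v = v * 10 + (size_t)(*s++ - '0');
    }
    if (s >= end || *s != '\n') return 0;
    *p = s + 1;
    *out = v;
    return 1;
}

/* Client side: encode a NULL-terminated vector into buf.  Returns the bytes
 * written, or -1 if buf is too small (a truncated list must never be sent). */
int send_vector(char *buf, size_t cap, char *const vec[])
{
    size_t n = 0, off;
    while (vec[n]) n++;
    int w = snprintf(buf, cap, "%zu\n", n);
    if (w < 0 || (size_t)w >= cap) return -1;
    off = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(vec[i]);
        w = snprintf(buf + off, cap - off, "%zu\n", len);
        if (w < 0 || (size_t)w >= cap - off) return -1;
        off += (size_t)w;
        if (len > cap - off) return -1;
        memcpy(buf + off, vec[i], len);
        off += len;
    }
    return (int)off;
}

void free_vector(char **vec)
{
    if (!vec) return;
    for (size_t i = 0; vec[i]; i++) free(vec[i]);
    free(vec);
}

/* Server side: decode len bytes into a malloc'd NULL-terminated vector.
 * max_elems bounds what a client can make the server allocate; an oversized
 * count, an element running past the buffer, or trailing bytes all yield NULL
 * so the server never acts on a partial or padded list. */
char **recv_vector(const char *buf, size_t len, size_t max_elems)
{
    const char *p = buf, *end = buf + len;
    size_t n, i;
    if (!read_num(&p, end, &n) || n > max_elems) return NULL;
    char **vec = calloc(n + 1, sizeof *vec);
    if (!vec) return NULL;
    for (i = 0; i < n; i++) {
        size_t elen;
        if (!read_num(&p, end, &elen) || elen > (size_t)(end - p)) goto bad;
        if (!(vec[i] = malloc(elen + 1))) goto bad;
        memcpy(vec[i], p, elen);
        vec[i][elen] = '\0';
        p += elen;
    }
    if (p == end) return vec;
bad:
    free_vector(vec);
    return NULL;
}

/* Encode a constructed argument vector, decode it again and return the
 * element count (0 if either direction failed); main prints the elements. */
size_t demo_roundtrip(void)
{
    char *argv_in[] = { "/cgi-bin/balance", "acct=1234", "line one\nline two", NULL };
    char wire[256];
    int n = send_vector(wire, sizeof wire, argv_in);
    char **out = n < 0 ? NULL : recv_vector(wire, (size_t)n, 16);
    if (!out) return 0;
    size_t count = 0;
    for (; out[count]; count++) printf("argv[%zu] = %s\n", count, out[count]);
    free_vector(out);
    return count;
}

int main(void) { return demo_roundtrip() == 3 ? 0 : 1; }
```

The decoder allocates nothing until the count has passed the bound, and the final p == end check is what turns a client that appends bytes after the declared list into a rejected request rather than a silently ignored tail.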
APPENDIX B

/tmp/tgad.c

/* @(#)83 1.9 tgad.c, swp_gw_server, swp_dev 1/19/96 09:03:24, SecureWare, Inc. */
/* Copyright (C) 1995. All rights reserved. */

/*
 * Secure Web Platform Trusted Gateway Agent server
 * Listens for connections on the TGA port.  Accept only
 * those coming from a reserved port on the loopback interface.
 * Spawn a child process to handle each connection.
 *
 * Child takes a request for a CGI program; if valid, it runs that CGI program
 * in an environment determined by the TGA configuration file, with
 * standard input and output connected to the client.
 */

#include "server.h"
/*
 * File descriptor for accepting connections; global so signal handlers
 * can shut it down if needed
 */
static int Master;
/*
 * main routine - listen for connections and handle them as they
 * arrive
 */
int
main(int ArgC, char *ArgV[])
{
    int Client;             /* file descriptor for connection to single client */
    unsigned short Port;    /* port number to which to bind */
#if SEC_BASE
    priv_t *Missing;        /* used to check privileges */
#endif /* SEC_BASE */

#if SEC_BASE
    /*
     * Security initialization
     */
    set_auth_parameters(ArgC, ArgV);
    initprivs();
#if SEC_MAC
    mand_init();
#endif /* SEC_MAC */

    /*
     * drop all privileges
     */
    seteffprivs((privvec_t *)0, (privvec_t *)0);
    /*
     * and make sure we can raise the ones we'll need later
     */
    if (!hassavedpriv(SEC_TRUSTED_PROCESS))
    {
        Audit(AUD_ID_STARTUP, AUDIT_RES_FAILED,
            "trustedprocess chain broken");
        Die("Trustedprocess chain broken\n");
    }

    if (Missing = checkprivs(privvec(SEC_TRUSTED_PROCESS, SEC_FILESYSOPS,
        SEC_NETPRIVADDR, SEC_ALLOWDACWRITE, SEC_CHSUBJLUID,
        SEC_CHSUBJIDENT,
#if SEC_MAC
        SEC_CVTLABEL, SEC_CHSUBJSL, SEC_ALLOWMACREAD, SEC_ALLOWMACWRITE,
#if SEC_ILB
        SEC_NOFLOATSUBJIL, SEC_NOFLOATOBJIL,
#endif /* SEC_ILB */
#endif /* SEC_MAC */
        -1)))
    {
        sprintf(Message, "insufficient privilege: missing %s\n", privstostr(Missing, ","));
        Audit(AUD_ID_STARTUP, AUDIT_RES_FAILED, Message);
        Die(Message);
    }
#endif /* SEC_BASE */

    /* set up port */
    Port = GATEWAY_PORT;
    if (ArgC > 1)
        Port = atoi(ArgV[1]);

    if ((Master = Listen(Port)) < 0)
    {
        strcpy(Message, "Listen connection failed");
        Audit(AUD_ID_STARTUP, AUDIT_RES_FAILED, Message);
        Die(Message);
    }

    /*
     * "daemonize" ourselves - detach from controlling terminal
     */
    Daemonize();
    /*
     * Log startup
     */
    sprintf(Message, "Startup: listening on port %d\n", Port);
    Log(Message);

    Audit(AUD_ID_STARTUP, AUDIT_RES_SUCCEEDED, Message);
    /*
     * catch SIGCLD
     */
    signal(SIGCLD, HandleChildExit);
    /*
     * loop forever (or until we get a SIGTERM or unhandled signal)
     */
    for (;;)
    {
        if ((Client = Accept(Master)) >= 0)
        {
            Handle(Client, Master);
        }
    }
}

/*
 * Function to handle a new connection.  Fork a new process, log
 * everything, and return.  Child process then runs the Child
 * function to do the actual work of running the CGI program.
 */
int
Handle(FD, Master)
int FD;
int Master;
{
    int ChildPID;           /* fork() return */
    time_t ConnectTime;     /* time connection came in */
    static unsigned int
        ConnectionCount = 0;    /* keep a running count of connections */

    /*
     * if we got to this function, we have a connection - bump the
     * count and log it
     */
    ConnectTime = time(0);
    ConnectionCount++;
    sprintf(Message, "got connection %d\n", ConnectionCount);
    Log(Message);

    AudInit();
    AudSet(AUD_CONNECT_DATE, &ConnectTime);
    /*
     * fork a child process to handle this connection
     */
    if ((ChildPID = fork()) < 0)
    {
        sprintf(Message, "connection %d: fork failed", ConnectionCount);
        AuditFailure(Message);
        return 0;
    }

    /*
     * Parent closes the connection to the client and returns
     */
    if (ChildPID)
    {
        close(FD);
        return 0;
    }

    /* -- Child from here on -- */
    /*
     * Log startup
     */
    sprintf(Message, "spawned to handle connection %d\n", ConnectionCount);
    Log(Message);

    /*
     * If we're debugging, stop so someone can attach a debugger to us
ttif DEBUG 

Log ("PAUSE - attach debugger and send SIGUSRlXn"); 
s ignal ( SIGUSRl , no_op ) ; 
pause ( ) ; 
ttendif /* DEBUG */ 

/* 

* close the master accept () socket 
V 

close (Master) ; 
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/tnp/tgad.o 5 

/* 

* and run the child process main function 
*/ 

Child(FD) ; 

} 

/* 

* signal handler for SIGCLD. 
V 
void 

HandleChildExitO 
{ 

int Pid; 
int Status ; 
char Message (BUFSIZ J ; 



/* reap the child */ 
Pid = wait (fiStatus) ; 

/* log its exit status */ 
sprint £ (Message, "Child %d exited with status %d\n* , Pid, 

WEXITSTATUS ( Status ) ) ; 
Log (Message) ; 

/* reinstall the handler for next time */ 
signal (SIGCLD, HandleChildExit) ; 

} 

#if DEBUG 
/* 

* a no-op handlier solely so we can return from a pause {) 
*/ 

void 
no_op ( ) 
{ 
) 

#endif /* DEBUG ♦/ 
/* 

* signal handler for SIGTERM - logs event and shuts down cleanly 
*/ 

void 

Shutdown (int SigNo) 
( 

char Message [BUFSIZ] ; /* private buffer used in case we get a signal 

* while using the common buffer 



Log exit status of finsihed child 



/* Pid of dead child */ 
/* Status of dead child ♦/ 

/* private buffer used in case we get a signal 
* while using the common buffer 
*/ 
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/tnp/tffad.c 6 

*/ 

/* 

* if we recognize the signal, log its name; otherwise log the number 
*/ 

if (SigNo == SIGTERM) 

3 trcpy( Mess age, "Caught SIGTERM - shutting down\n" ) ; 

else 

sprint f (Message, "Caught signal %d - shutting dovm\n" , SigNo); 

Audi t ( AUD_ID_SHUTDOWN , AUDIT_RES_NULL , Message ) ; 
Log (Message) ; 

/* 

* shutdown the main server soclcet 
V 

shutdown[Master, 2); 

/* • 

* and exit 
*/ 

exit (1281-SigNo) ; 



NAME 

OpenLog 



DESCRIPTION 

Open up the log file (if logging is configured) and redirect 
standard output and standard error into it 

PARAMETERS 
None 

RETURN VALUE 
None 

*/ 
void 

OpenLog (void) 
( 

char *FileNaine; /* log file name */ 

int LogFile; /* file descriptor */ 

priwec_t SavePrivs; /* used for privilege bracketing */ 

#if SEC_BASE 
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/tnp/tffAd.c 7 

* we may need privilege Co open the file 
*/ 

if ( f orceprivs (priwec { SEC_^LLOWDACWRITE, 
#if SEC_MAC 

SEC_JlLLOWMACWRITE , 

#if SEC_ILB 

S EC_NOFLOATOB JIL , 

#endif /* SEC^ILB */ 
#endif /* SEC_MAC */ 

-1), SavePrivs) != 0) 

{ 

Quit (Master, "could not open log file; insufficient privilege\n* , 
QUIT_AUDIT) ; 

) 

#endif /* SEC_BASE */ 
/* 

* open the log file for append 
*/ 

/* first make sure logging is. enabled; disable it by default */ 
FileName = "/dev/null"; 

if (Global && Global*>u. server .gw_log) 
( 

if (Global ->u, server .gw_log_file) 

FileName = Global->u . server .gw_log_file ; 

else 

FileName = GATEWAY.LOG; 

) 

LfOgFile = open (FileName, 0_WRONLY| 0_APPEND|0_CREAT. 0600) ; 
/* 

* now drop the privilegess 
*/ 

(void) seteffprivs( SavePrivs, NULL); 
/* 

* abort if we couldn't open the file 
*/ 

if (LogFile < 0) 

Quit (Master, "Could not open log file for writing". QUIT_AUDIT) ; 

/* 

* otherwise redirect output and error into it 
*/ 
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if (dup2 (LogFile, STDOUT_FILENO) != STDOUT_FILENO) 

Quit (Master, "Could not redirect standard output into log file", 
QUIT_AUDIT) ; 

if (dup2 (LogFile, STDE31R_FILEN0| !=« STDERR^FILENO) 

Quit (Master, "Could not redirect standard output into log file". 
QUIT.AUDIT) ; 

} 

/* 

* standard initialization for a daemon process - detach from controlling 

* terminal, process group, etc. We use OpenLog to redirect output 

* to a log file, which conveniently detaches us from the terminal 

* (once we close stdin, too). Once we do all that, we 

* fork and the parent exits, leaving the child to run in the background. 
V 

void 

Daemoni z e ( vo id ) 
{ 

pid_t Pid; /* used to store return value from fork() */ 
/* 

* close input 
*/ 

(void) close (STDIN_FILENO) ; 

/* read the configuration file (and redirect output to log file) */ 
(void) ReadConfO; 

/* 

* disassociate from parent process group 
*/ 

setpgrp ( ) ; 
/* 

* now fork and let the parent exit 
*/ 

if ((Pid = forkO) < 0) 

Die (- fork {) failed"); 

if (Pid) 

exit ( EXIT_SUCCESS } ; 

/* 

* shut down cleanly on SIGTERM; ignore most other signals 
*/ 

signal (SIGTERM, Shutdown); 
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s ignal ( SIGUSR2 , SIG_IGN) ; 

signal (SIGQUIT,SIG_IGN) ; 

signal (SIGINT, SIG.IGN) ; 

s ignal ( SIGHUP , ReadConf ) ; 
ttifdef SIGTSTP 

signal (SIGTSTP, SIG_IGN) ; 

signal (SIGTTIN, SIG_IGN) ; 

signal (SIGrrOU. SIG_IGN); 
ttendif 

) 
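The header comment of tgad.c and claim 8 say the server accepts only connections arriving from a reserved port on the loopback interface, but the Listen() and Accept() wrappers that enforce it do not appear in the listing above. The check below is an added example, not SecureWare's code: PeerIsTrusted(), CheckPeer() and AcceptTrusted() are hypothetical names, and the rule assumed is peer address 127.0.0.1 with a source port below 1024, which only a process holding the netprivaddr privilege could have bound.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RESERVED_PORT_LIMIT 1024   /* BSD convention (IPPORT_RESERVED): ports below
                                    * this can only be bound with privilege */

/* Return 1 if Peer is 127.0.0.1 and its source port is below the reserved
 * limit, otherwise 0. The address alone is not enough: any local user can
 * connect over loopback, but binding a reserved source port takes privilege,
 * which is what ties the connection to the privileged TGA client. */
int PeerIsTrusted(const struct sockaddr_in *Peer)
{
    if (Peer->sin_family != AF_INET)
        return 0;
    if (ntohl(Peer->sin_addr.s_addr) != INADDR_LOOPBACK)
        return 0;
    if (ntohs(Peer->sin_port) >= RESERVED_PORT_LIMIT)
        return 0;
    return 1;
}

/* Build a sockaddr_in from host-order values and run the check; lets the
 * rule be exercised offline without a real socket. */
int CheckPeer(unsigned long Addr, unsigned short Port)
{
    struct sockaddr_in Peer;

    memset(&Peer, 0, sizeof Peer);
    Peer.sin_family = AF_INET;
    Peer.sin_addr.s_addr = htonl((in_addr_t)Addr);
    Peer.sin_port = htons(Port);
    return PeerIsTrusted(&Peer);
}

/* Accept one connection on the listening socket Master. A connection that
 * fails the peer check is closed immediately and -1 is returned, so an
 * accept loop written like tgad's simply ignores it. */
int AcceptTrusted(int Master)
{
    struct sockaddr_in Peer;
    socklen_t Len = sizeof Peer;
    int Client = accept(Master, (struct sockaddr *)&Peer, &Len);

    if (Client < 0)
        return -1;
    if (Len < sizeof Peer || !PeerIsTrusted(&Peer)) {
        close(Client);
        return -1;
    }
    return Client;
}
```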
APPENDIX C

CGI Environment Variables

Variable            Description
AUTH_TYPE           auth-scheme value if authentication used
CONTENT_LENGTH      length of the attached entity
CONTENT_TYPE        type of the attached entity
GATEWAY_INTERFACE   CGI specification version
HTTPS               Netscape Commerce Server-specific variable indicating a
                    Secure Sockets Layer (SSL) encryption protocol connection
PATH_INFO           resource or sub-resource to be returned by the CGI script
PATH_TRANSLATED     OS path to the file that httpd would attempt to access
QUERY_STRING        URL-encoded search or parameter string
REMOTE_ADDR         IP address of the agent sending the request
REMOTE_HOST         fully qualified domain name of the agent
REMOTE_IDENT        identity information reported about the connection
REQUEST_METHOD      method with which the request was made
SCRIPT_NAME         URI path that could identify the CGI script
SERVER_NAME         name for this server
SERVER_PORT         port on which this request was received
SERVER_PROTOCOL     name and revision of the request's information protocol
SERVER_SOFTWARE     name and version of the information server software
APPENDIX D

Sample Server Configuration File

# @(#)86 1.8 tgad.conf, swp_server, swp_dev 1/16/96 08:47:02
# Copyright (C) 1995, 1996, SecureWare, Inc.
# All rights reserved.
#
# Sample configuration file for Trusted Gateway Agent server
# (Send a SIGHUP to running tgad to cause it to reread this file)
#
# Global configuration information:
#   gw_uid        UID of server process
#   gw_sl         Sensitivity label of server process
#   gw_log        Whether or not logging is enabled
#   gw_log_file   Location of log file
#
# NOTE: The TGA server's logging mechanism is superfluous if you
# have auditing enabled, but if you wish to enable it, change
# 'gw_logx' to 'gw_log' in the line below.

config:gw_type=server:gw_uid#59:gw_sl=SYSTEM INSIDE:\
    :gw_logx:gw_log_file=/tcb/files/tgad.log:chkent:

# Program environment entries.
# An environment entry specifies the attributes for some set of CGI programs
# (which set is determined later):
#   gw_root       The directory to use as the root for running the
#                 programs (via the chroot(2) system call)
#   gw_dir        The directory (relative to gw_root) in which to look
#                 for the executable files;
#   gw_uid        The user ID with which to run the CGI programs
#   gw_sl         The sensitivity label at which to run the programs
#   gw_access     Accessibility of programs in this environment;
#                 'explicit' indicates that only programs with
#                 explicit entries in this file may be run;
#                 'any' indicates that programs matching wildcard
#                 entries may be run
#
# Sample environment entry.
# Note that in this example, gw_root is set to '/';
# that means that no chroot(2) is performed, and all the CGI programs in this
# environment have access to the entire filesystem on the host. Also note that
# gw_uid and gw_sl are not set; they default to the attributes of
# the TGA server, as set in the config entry above.

inside:gw_type=environment:gw_root=/:\
    :gw_directory=/swp/inside/app/cgibin:\
    :gw_access=explicit:chkent:

# Program entries.
# A program entry specifies the name of the environment to
# use for a given program, and may also specify these attributes:
#   gw_uid, gw_sl   As above; override the environment setting
#   gw_path         Pathname of file to execute; allows a tga
#                   client link to have a different name from
#                   the inside CGI program to which it maps
#   gw_allowed      Indicates whether or not the program is
#                   allowed to run; allows specific exclusion of
#                   programs that would otherwise be cleared through
#                   a wildcard entry.
#
# The key field of a program entry must be the full pathname of the program
# as passed via argv[0] when the TGA client is invoked by the Web server.
# The wildcard form '*/basename' allows a given basename to match in
# any directory, and 'dirname/*' allows an entry to refer to all programs in a
# directory at once. An entry named '*' is a default for programs not matching
# any other entries.
#
# NOTE: For purposes of access control, '*/basename' and 'dirname/*' are
# considered 'explicit' entries, while '*' is not.
#
# Sample (commented out) entry for program 'myprog'.
# This entry indicates that when the TGA client is invoked as program 'myprog'
# and contacts the server, the TGA server will run the program 'altprog' in
# the environment specified by the 'inside' entry:
#
# */myprog:gw_type=program:gw_env=inside:gw_allowed:gw_path=altprog:chkent:
#
# Sample default entry.
# Uncomment this entry to allow any program to run through the gateway (provided
# the proper TGA client exists and the program is in the directory named in the
# 'inside' environment above).
#
# NOTE: It is more secure to have no default entry, with an explicit entry for
# each program.
#
# *:gw_type=program:gw_env=inside:gw_allowed:chkent:
#
# Sample exclusion entry.
# If you use a wildcard entry, you can selectively disallow execution of
# some programs with entries like the one below. But, as noted above, security
# through inclusion is better than security through exclusion.
#
# */badprog:gw_type=program:gw_allowed@:chkent:

Last Updated: 2/2/96
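Appendix D states the key forms ('*/basename', 'dirname/*', '*'), the gw_allowed@ exclusion and the gw_access rule only in comments. The lookup below is an added example, not SecureWare's tgad code: the entries are constructed in the file's style, and GetAttr(), MatchRank(), ResolveProgram() and ResolveSample() are hypothetical names. It goes slightly beyond the comments by ranking the four key forms from most to least specific, so an exclusion entry for a basename beats a directory wildcard that would otherwise clear it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the style of Appendix D; not the file itself. */
const char *SampleConf[] = {
    "inside:gw_type=environment:gw_root=/:gw_directory=/swp/inside/app/cgibin:gw_access=explicit:chkent:",
    "*/myprog:gw_type=program:gw_env=inside:gw_allowed:gw_path=altprog:chkent:",
    "*/badprog:gw_type=program:gw_env=inside:gw_allowed@:chkent:",
    "/swp/outside/app/cgibin/*:gw_type=program:gw_env=inside:gw_allowed:chkent:",
    "*:gw_type=program:gw_env=inside:gw_allowed:chkent:",
    NULL
};

/* Attribute Name in a colon-separated entry: 1 present, -1 disabled by a trailing
 * '@', 0 absent. A '=' (string) or '#' (numeric) value is copied into Val. */
static int GetAttr(const char *Entry, const char *Name, char *Val, size_t Len)
{
    const char *p = Entry, *e;
    if (Val && Len) Val[0] = '\0';
    while ((p = strstr(p, Name)) != NULL) {
        e = p + strlen(Name);
        if ((p == Entry || p[-1] == ':') && (*e == '\0' || strchr(":=#@", *e))) {
            if (Val && Len && (*e == '=' || *e == '#'))
                snprintf(Val, Len, "%.*s", (int)strcspn(e + 1, ":"), e + 1);
            return *e == '@' ? -1 : 1;
        }
        p = e;
    }
    return 0;
}

/* Rank of Key against program path Prog (the TGA client's argv[0]):
 * 0 exact, 1 "*\/basename", 2 "dirname/*", 3 the "*" default, -1 no match. */
static int MatchRank(const char *Key, const char *Prog)
{
    const char *base = strrchr(Prog, '/');
    size_t l = strlen(Key);
    base = base ? base + 1 : Prog;
    if (strcmp(Key, "*") == 0) return 3;
    if (strncmp(Key, "*/", 2) == 0) return strcmp(Key + 2, base) == 0 ? 1 : -1;
    if (l >= 2 && strcmp(Key + l - 2, "/*") == 0)
        return strncmp(Key, Prog, l - 1) == 0 && !strchr(Prog + l - 1, '/') ? 2 : -1;
    return strcmp(Key, Prog) == 0 ? 0 : -1;
}

/* Resolve Prog: copy the file to execute into Path and return 1; return 0 when
 * nothing matches, the best match is not gw_allowed, its environment is missing,
 * or a '*' default meets an environment whose gw_access is not 'any' (Appendix D:
 * '*' is not an "explicit" entry, while "*\/basename" and "dirname/*" are). */
int ResolveProgram(const char *Conf[], const char *Prog, char *Path, size_t Len)
{
    const char *best = NULL, *base;
    int i, rank, bestRank = 4;
    char key[128], val[64];
    for (i = 0; Conf[i]; i++) {
        snprintf(key, sizeof key, "%.*s", (int)strcspn(Conf[i], ":"), Conf[i]);
        if (GetAttr(Conf[i], "gw_type", val, sizeof val) != 1 || strcmp(val, "program")) continue;
        rank = MatchRank(key, Prog);
        if (rank >= 0 && rank < bestRank) { best = Conf[i]; bestRank = rank; }
    }
    if (best == NULL || GetAttr(best, "gw_allowed", NULL, 0) != 1) return 0;
    if (GetAttr(best, "gw_env", val, sizeof val) != 1) return 0;
    for (i = 0; Conf[i]; i++)                    /* find the named environment entry */
        if (strncmp(Conf[i], val, strlen(val)) == 0 && Conf[i][strlen(val)] == ':') break;
    if (Conf[i] == NULL || GetAttr(Conf[i], "gw_access", val, sizeof val) != 1) return 0;
    if (bestRank == 3 && strcmp(val, "any") != 0) return 0;
    if (GetAttr(best, "gw_path", Path, Len) != 1) {   /* default: same name as the link */
        base = strrchr(Prog, '/');
        snprintf(Path, Len, "%s", base ? base + 1 : Prog);
    }
    return 1;
}

/* Test helper: 1 when Prog is allowed and resolves to Expect, else 0. */
int ResolveSample(const char *Prog, const char *Expect)
{
    char Path[64];
    return ResolveProgram(SampleConf, Prog, Path, sizeof Path) && strcmp(Path, Expect) == 0;
}
```

Under these rules the commented-out '*' default in Appendix D would still be refused, because the 'inside' environment it names sets gw_access=explicit; an environment with gw_access=any is what the comment's "allow any program" requires.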
What is claimed is:

1. A computer based secure Web platform (SWP) implementing a mandatory access control policy to enable a plurality of remote users operating Web browsers communicating HyperText Transfer Protocol (HTTP) data streams over the Internet access to CGI applications without compromising the security of the SWP, comprising:

a computer having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment containing a Web server implementing HTTP to interface the SWP with the Internet and an inside compartment containing a plurality of CGI applications; and

a trusted gateway agent program for communicating between the outside compartment and the inside compartment; the trusted gateway program further comprising a gateway client program located in the outside compartment having a plurality of outside CGI links to CGI applications that are visible to the outside Web server and a gateway server program located in the inside compartment, wherein the outside CGI links are visible to the Web server and upon execution of an outside CGI link, a network link is opened to the gateway server program which invokes the corresponding CGI application, wherein the gateway server program creates a new process and invokes the corresponding CGI application and connects the HTTP data stream between the CGI application and the gateway client, and wherein the CGI application employs the HTTP data stream to communicate through the gateway server program and gateway client program to the Web browser.

2. The computer based secure Web platform as claimed in claim 1, the Web server further comprising the method step of implementing the chroot command to change the root directory of the Web server to a directory tree containing only the minimum set of files required for the Web server to operate.

3. The computer based secure Web platform (SWP) as claimed in claim 2, the mandatory access control policy further comprising a plurality of sensitivity labels, wherein a sensitivity label of System Outside is assigned to any SWP files to which the Web server requires write access, a sensitivity label of System is assigned to any SWP files to which the Web server program requires read-only access, and a sensitivity label of System Inside is assigned for those SWP files to which the Web server does not have any access.

4. The computer based secure Web platform (SWP) as claimed in claim 1, the compartmentalized process and file structure further comprising the step of:

chrooting the CGI applications to run in an inside directory completely separate from the Web server.

5. The computer based secure Web platform (SWP) as claimed in claim 4, the mandatory access control policy further comprising a plurality of sensitivity labels, wherein the CGI applications will run with an SL of System Inside for files requiring write access and an SL of System for those files requiring read-only access.

6. The computer based secure Web platform (SWP) as claimed in claim 4, further comprising a CGI link identifier for each CGI application, and wherein, all of the outside CGI link directories point to the gateway client program and the CGI link identifier identifies the corresponding CGI application to execute.

7. The computer based secure Web platform (SWP) as claimed in claim 1, wherein the Web server executes an outside CGI link identified by the URL of the HTTP request forwarded from the Web browser to establish communication between the gateway client program and the gateway server program, wherein, the gateway server program verifies the validity of the CGI application request, and if verified, the gateway server program invokes the actual CGI application and connects the HTTP data stream such that the inside CGI application may execute.

8. The computer based secure Web platform as claimed in claim 7, the gateway server program being initialized directly at system boot time and enabled whenever the Web server is enabled, wherein the gateway server program listens for Internet protocol connection requests on the trusted gateway agent port specified by the /etc/services file on the secure Web platform, and only accepts connections emanating from the same computer host, and only if the communication port of the connection request is in the privileged range.

9. The computer based secure Web platform as claimed in claim 8, the gateway server program further comprising a configuration file (tcb/files/tgad.conf) read upon startup that specifies the attributes of the gateway server program (user ID, group ID, sensitivity label) as well as the set of CGI applications that may be run through the trusted gateway agent.

10. The computer based secure Web platform as claimed in claim 9, further comprising a child process that is created by the gateway server program (via the fork(2) command) for executing the CGI application corresponding to each accepted connection.

11. The computer based secure Web platform as claimed in claim 10, wherein, upon initialization, the gateway server program reads the gateway server configuration file (/tcb/files/tgad.conf) as well as the set of CGI applications that may be invoked by the gateway server program.

12. The computer based secure Web platform as claimed in claim 9, wherein, the Web server invokes the netprivaddr privilege in order to bind to the reserved communication port (80 or 443) for HTTP requests, and wherein the gateway server program also requires the netprivaddr privilege to bind to a reserved port, and wherein the gateway client program must have the netprivaddr privilege to initiate a connection on a reserved port, which is required by the gateway server program.

13. The computer based secure Web platform as claimed in claim 12, wherein the CGI applications inherit, through the gateway client and the gateway server, the environment variables, command line, and standard I/O file descriptors passed to them by the Web server.

14. The computer based secure Web platform as claimed in claim 9, the gateway server checking the cryptographic checksum of the CGI application executable file against a cryptographically strong checksum stored in the configuration file, and if the checksums do not match, the request is rejected.

15. A method for implementing a mandatory access control policy on a computer based secure web platform (SWP) having a compartmentalized process and file structure separated in accordance with a mandatory access control policy enabling a plurality of remote users operating Web browsers communicating HyperText Transfer Protocol (HTTP) data streams over the Internet access to CGI applications without compromising the security of the SWP, comprising the method steps of:

separating the file structure of a computer into an outside compartment containing a Web server implementing HTTP to interface the SWP with the Internet and an inside compartment containing a plurality of CGI applications, and
communicating between the outside compartment and the inside compartment with a trusted gateway agent program having a gateway client program located in the outside compartment with a plurality of outside CGI links to CGI applications that are visible to the outside Web server and a gateway server program located in the inside compartment,

chrooting the root directory of the Web server to a directory tree containing only the minimum set of files required for the Web server to operate,

assigning a link identifier to the CGI applications such that all of the outside CGI link directories point to the gateway client program and the link identifier identifies the corresponding CGI application to execute,

invoking the trusted gateway agent to communicate between the outside compartment and the inside compartment,

verifying the validity of the HTTP request from the Web server to execute a CGI application,

establishing a connection between the gateway client program and the gateway server program,

transferring the gateway client program environment and argument vectors to the gateway server program,

verifying the validity of the CGI request,

chrooting the CGI applications to run in an inside directory completely separate from the Web server,

invoking the CGI application and connecting the HTTP data stream if the CGI request is valid.

16. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) as claimed in claim 15, further comprising the step of assigning sensitivity labels in accordance with the mandatory access control policy, wherein a sensitivity label of System Outside is assigned to any SWP files to which the Web server requires write access, a sensitivity label of System is assigned to any SWP files to which the Web server program requires read-only access, and a sensitivity label of System Inside is assigned for those SWP files to which the Web server does not have any access.

17. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 15, the step of assigning sensitivity labels further comprises the step of assigning the CGI applications an SL of System Inside for files requiring write access and an SL of System for those files requiring read-only access.

18. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 15, the step of invoking the trusted gateway agent further comprising the execution of an outside CGI link such that a network link is opened to the gateway server program.

19. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 18, the step of verifying the validity of the HTTP request further comprises the step of checking for the netprivaddr privilege, as such privilege is required to bind to the local HTTP port.

20. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 19, the step of verifying the validity of the CGI request further comprises the step of consulting the trusted gateway agent configuration file to determine if the gateway client program name is a valid request, and if so, what program to execute and with what attributes.

21. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 20, the step of invoking the CGI application and connecting the HTTP data stream further comprising the step of stripping the environment of all variables that are not specified by the CGI protocol if the CGI request is valid,

which then invokes the corresponding CGI application, and the gateway server program further comprising the step of creating a new process and invoking the corresponding CGI application and connecting the HTTP data stream between the CGI application and the gateway client, and wherein the CGI application employs the HTTP data stream to communicate through the gateway server program and gateway client program to the Web browser.
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